Tuesday, September 28, 2010

Investigating .NET Padding Oracle Exploitation with padBusterdotnet

Everyone in the security industry has crashed into the amazing research of T. Duong and J. Rizzo of Netifera Security named Padding Oracle Attacks. This research hit the media again some days ago because also Microsoft .NET Framework was found extremely vulnerable to it.

Some tools have been released to perform this particular attack, but no public tools at the moment work with .NET Ajax Framework as shown in the original .NET exploit video at Ekoparty conference.

Important Update: I'm happy that the publication of our mods, which were the first this morning, speeded up the publication of different private tools. Now Gotham Digital Science security has just released the new version of Padbuster (v0.2) which supports Net UrlToken Encoder/Decoder check it here.

Update 04/10/2010: Today Padbuster v0.3 now supports attacks against .NET applications to download files from the webroot. The attack for downloading Web.config is similar to the first attack we published two days ago, but it adds several important features to it. We suggest to read it!

How does Padbusterdotnet work

Padbusterdotnet is very similar to the original Padbuster. The main difference is that it uses a re-implemented version of Microsoft UrlTokenEncoder() and UrlTokenDecoder() functions. It also does not Urlescape() parameters by deafult.

How does Padbusterdotnet applies to .NET Ajax Handlers

Microsoft Ajax Handlers are publicly exposed by default and accept encrypted strings of data which are NOT signed. This means that could be possible to perform byte by byte substitutions from an original string and check response errors for guessing intermediate values.

Webresource.axd and Scriptresource.axd are very similar, except the fact that they have a different error handling code.So, if "customerrors = off" both handlers are practically the same.

Update 2/10/10: If "customerrors = ON" and 404 pages are handled differently from 500 pages, you should use WebResource.axd (Note: This is good for both Framework 2.0 - With Ajax 1.0 and for framework 3.5 Sp1). To abuse the padding Oracle with "Customerrors = ON" you need to use WebResource.axd with valid "d" encrypted data as prefix. "d" parameter to be valid for WebResource handler must contain at least a single pipe char "|" after decryption. In short terms use the tool with "-prefix" option. This was the approach used initially in the original attack video (POET vs .NET).

Update 3/10/2010: if you use the "T exploit" and remote site is running framework 3.5 Sp1 or above, you just need to bruteforce the first block with average 150 requests to decrypt any message. And you need to check just for 200 status codes. More info on the "T" block exploit.

Update 4/10/2010 More info on 200 vs 404 Status codes: Padbuster v0.3 and .NET attacks. This approach is more efficient because it uses the infamous "T" block for abusing the Padding Oracle.

To make things more complex (:D) the code of ScriptResource.axd was heavily modified during years. That's why we suggest to use all the approaches described above in this section to have the Padding Oracle speaking.

All errors are 404 exception and the Padding Oracle is turned off if you do not use a "T" block as prefix.

How to check if my site is vulnerable?
To check if your site is vulnerable make the following requests:

http://www.mysite.co/notexistentpage.aspx - if you have verbose messages you are vulnerable since "customerrors" are not enabled

Check if the response to "http://www.mysite.co/notexistentpage.aspx" vs the response to "http://www.mysite.co/WebResource.axd?d=wrongstring" do match. If these 2 responses are different you are potentially vulnerable

This feature is available through ScriptResource.axd only in .NET Framework 3.5 Sp1 and above (Framework 2.0 cannot be abused in this way). You should issue a particular string - "R|~/Web.config" - correctly encrypted using Padbusterdotnet tool.

@Anonymous: Thank you for your comment. I'm working on it. Since the IV is not passed, you should manipulate the first encrypted block, since the values are passed as the IV of the second block. You should have a message of at least 2 encrypted blocks.

In this way you should be able to bruteforce the padding values. If you can brute successfully the last byte of the first block, you can presume that you have the encrypted value for 0x01. Now you can XOR it with the value you have obtained and you get the intermediate value. If you XOR the intermediate value with the original LAST byte of the first block, you should get a number that indicates the number of padded values (like 0x06).

When encrypting using the padding oracle, you have to start from the last block.As the IV for block N is the encrypted value of block N-1, you don't have control over N-1.If you could pass the IV, it wouldn't be a problem, but here, you end up with a block with IV 8*0x0 and I don't see how you can modify this

@Anonymous: Yes, you are right. I was trying the tool against a Target with AES enabled. The tool works correctly I just made a bug in the decoder section. As I explained previously if you know the value of the IV vector that should be enough.

For making it easier to use, I have added a IV with fixed number of nullbytes. It will be soon up again.

OK, slight misunderstanding, I'm not speaking about decryption which is trivialI'm speaking about encryption ;) (as you cannot provide the IV to ASP.NET, the first "newly encrypted block" normaly uses the IV 0x0*8 but the decryption only gives garbage)

1) You encrypt this payload with Padbuster "|||~/web.config". You will end with 2 blocks of |IV|block1|0padblock|2) What is missing is that now you need to bruteforce the first block until you download Web.config.

Thanks for the great blog. After reading the blogs I have cleared all my queries about Padbusterdotnet, Webresource.axd and Scriptresource.axd. But I also read about the difference between PadBuster and PadBusterdotnet where it uses a re-implemented edition of Microsoft UrlTokenEncoder () and UrlTokenDecoder () functions. It also does not Urlescape () parameters by default.

@Anonymous: exactly, it's not possible to retrieve the "Web.config" file in .NET 2.0. There are no available features that permit do download files. That features are available from .NET 3.5 sp1 onward.

What would be the format to retrieve a file in a sub-directory within the web application? e.g. |||~/site/sub-directory/site.config doesn't seem to work even though |||~/web.config works OK and the site.config file is known to exist.

About Minded Security

Minded Security
is the Software Security Company that supports you to build, deliver and use more secure software. Minded Security helps businesses and organizations to build secure products and services.